Symantec has issued an advisory, warning users that its pcAnywhere remote screen sharing software is vulnerable to a man-in-the-middle attack, and urging them to disable it until a security update is rolled
The company said pcAnywhere users are at an increased risk due to the theft of source code from its servers that took place in 2006. The Symantec breach also exposed the source code of early versions of Norton Antivirus Corporate Edition, Norton Internet Security and SystemWorks.
The 2006-era software poses no risk to current Norton customers, but the security giant said its pcAnywhere users can be targeted by attackers.
The pcAnywhere remote access software is used by some enterprises for help desk support and issue resolution. Companies can use the software in conjunction with the pcAnywhere Access Server for multiple connections and to avoid issues with company firewalls or NAT devices.
“Our current analysis shows all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers using prior versions of the product,” Symantec said in its advisory.
Companies may have pcAnywhere deployed because it is bundled with numerous Symantec products, according to the advisory. “The full standalone product is bundled in a number of Altiris-based solutions. A remote access component of pcAnywhere, called the pcAnywhere Thin Host, is also bundled with a number of Symantec backup and security products,” Symantec said.
Symantec issued a patch on Monday addressing three vulnerabilities in pcAnywhere running on Windows. Additional patches are planned this week for pcAnywhere versions 12.0, 12.1 and 12.5. The company said additional patches will be issued until a new version of pcAnywhere is released.
Man-in-the-middle attacks, unauthorized network access possible
In a white paper entitled “Symantec pcAnywhere Security Recommendations” (.pdf), Symantec said the encoding and encryption elements within pcAnywhere are vulnerable.
“It is possible that successful man-in-the-middle attacks may occur depending on the configuration and use of the product,” Symantec said. “If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.”
A Symantec spokesperson said the company is unaware of any ongoing attacks.
It is also possible that an attacker can obtain the cryptographic key and launch unauthorized remote control sessions, gaining access to other systems using Active Directory credentials, Symantec said.
Company environments that use pcAnywhere internally are also at risk, Symantec said. The attack would have to be carried out by a malicious insider.
Symantec advises users to block pcAnywhere assigned ports and use secure VPN tunnels for remote access.